RSA Product Set: RSA
After sending an email to a customer, the following response shows in case notes:
Your email may not have been delivered. See the attached delivery notification.
You're getting this message because your organization elected to forward delivery status notifications for emails you send.
RSA has received reports of customers who have been unable to receive emails from our customer support ticketing system and/or our ID Plus mail service.
The following information is intended to assist email administrators is troubleshooting email delivery problems.
- RSA uses the @rsa.com and @securid.com domains for customer support and product notifications.
- RSA does send certain emails using third party services such as Salesforce or Amazon Simple Email Service.
- RSA has configured Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) signing, and a Domain-based Message Authentication Reporting and Conformance (DMARC) policy which is set to reject to minimize the risk of emails being spoofed from our domains.
- RSA has ensured that all third party services which send email on our behalf are properly configured to align with our DMARC policy – that is, the message is signed with our published DKIM keys and/or passes SPF record checks.
In cases where RSA has been asked to investigate failed email delivery, we have found that the most common cause for the message being rejected is a dual mail filter on the recipient’s end. In these cases, the recipient had a mail filter which rejects, quarantines, or delivers the email to the destination mail server. If the destination mail server also has filtering enabled, special configuration is required to prevent an SPF (and in some cases DKIM) failure.
This behavior happens because routing the mail through the upstream filter causes the destination server to see the mail filter’s IP as the sending IP and therefore fail SPF checks. Additionally, some mail filters will also modify the message causing an invalid DKIM signature due to the hash of the message being invalidated.
To prevent these issues, the destination mail server must be properly configured. One way to accomplish this is by disabling all spam filtering on the destination server and relying on the mail filter to perform all inspection. Some email providers (for example, Microsoft) have additional options that allow some filtering to remain in place on the destination server.
Below are some links to documentation from vendors that explain the configuration required to accommodate upstream mail filtering.
Related Articles
The letter case of column alias names in RSA Identity Governance and Lifecycle tabular reports is not retained Number of Views Distribution of Software token with a binding DeviceSerialNumber may not be Case Sensitive Number of Views Navigating the Case Portal in the RSA Community (Video) Number of Views RSA Identify Governance and Lifecycle Password Challenge Questions "Challenge Responses" are case sensitive Number of Views How to rollback to a previous version in case of virtual application patch failures in RSA Identity Governance & Lifecycle… Number of Views
Trending Articles
Passwordless Authentication in Windows MFA Agent for Active Directory – Quick Setup Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA Authentication Manager Upgrade Process RSA Authentication Manager 8.7 SP2 Setup and Configuration Guide An example of SSO using SAML and ADFS with RSA Identity Management and Governance 6.9.x
